Stephen, I would like your opinion on the security of plain text creds in the .env file. Even when you use a key vault to store credentials instead of the .env, when the configuration gets cached those credentials will be stored in /bootstrap/cache/config

Answered this one on Twitter, but so it's here too:

I don't have any problems with creds stored in the .env file. The nature of PHP means you don't really have any other choice anyway (as you pointed out), and if someone can read that file, they've already got too much access to your server.

You're adding needless complexity by trying to protect them elsewhere. And so many people waste time on methods to commit or manage creds locally, which I think introduces actual risks.

Instead, keep them only on prod and don't store them anywhere else.

Follow up:
"Absolutely agree with the complexity. I am trying to figure out a balanced approach for clients bothering me about creds being in the .env"

Massively over-quote the work involved in moving to a different solution? 🤣

That's a tough one. It's such a common recommendation, but in my professional opinion, it's complete rubbish. You're much better off focusing on securing the server itself than wasting time with creds.


We have a larger app at work that connects to a lot of other services within the company. With dev, staging and prod it gets confusing, especially with multiple developers. It's environment-specific config and creds, etc. I'm thinking of just putting the bare minimum to boot our app in the .env and everything else into an env table and using a FILAMENT CRUD to manage it. I haven't decided 100%, so I'm curious what other people are doing too.


I'll advise against credentials in the db. Getting them is so much slower than just having them ready. I don't know what your pipeline of servers is like, but a php artisan optimize makes things much faster


@danielpetrica Yeah, we run php artisan optimize every deploy. And the values would still be cached even if put in a db. So I don't think this would be any major slowdown. But that's a really good concern, I need to make sure I set it up so that the caching part still works.


OK then, yes, after the optimize there should be no slowdown on the app from having the envs there


I agree with you on this, the only addition I'll make is to give your app minimal security at least. I saw download functions in production allow path traversal and return the config file or .env file

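The path-traversal case in the last comment is the one place where the .env and the cached config do become reachable from the outside. As an added example (not code from this thread or from Laravel itself), here is a download helper that confines a user-supplied filename to one directory; the directory layout and the `resolveDownloadPath` name are assumptions for the demo.

```php
<?php
// Added example: confine a requested download to a single allowed directory,
// so a filename such as "../.env" or "../bootstrap/cache/config.php" is refused
// instead of served. Returns the canonical path on success, null on refusal.
declare(strict_types=1);

function resolveDownloadPath(string $baseDir, string $requested): ?string
{
    // Canonicalise the allowed directory first; refuse if it does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Reject empty names and embedded null bytes before touching the filesystem.
    if ($requested === '' || str_contains($requested, "\0")) {
        return null;
    }

    // realpath() resolves "..", "." and symlinks, and returns false for missing files.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }

    // The resolved path must sit strictly inside $base. The trailing separator
    // matters: without it, "/srv/downloads-private" would pass for "/srv/downloads".
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }

    return $candidate;
}

// Constructed demo layout (hypothetical): one legitimate file inside the
// download directory and a sibling .env that must stay unreachable.
$root = sys_get_temp_dir() . '/dl-demo-' . bin2hex(random_bytes(4));
mkdir("$root/downloads", 0700, true);
file_put_contents("$root/downloads/report.pdf", 'constructed content');
file_put_contents("$root/.env", 'APP_KEY=constructed-placeholder');

var_dump(resolveDownloadPath("$root/downloads", 'report.pdf') !== null); // bool(true)
var_dump(resolveDownloadPath("$root/downloads", '../.env'));             // NULL
var_dump(resolveDownloadPath("$root/downloads", 'nonexistent.pdf'));     // NULL

// Clean up the constructed files.
unlink("$root/downloads/report.pdf");
unlink("$root/.env");
rmdir("$root/downloads");
rmdir($root);
```

Pair this with a deploy that keeps the .env and bootstrap/cache outside the web root and readable only by the PHP user, since the helper only protects the download route, not other file-serving code.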